Lack of validation of the decoded assets returned from OracleResult in the BuyerAgent::purchase function will DoS buyerAgents trying to purchase assets, because the OracleResult function may also return assets that are not listed to the current BuyerAgent. OracleResult depends entirely on the generators' output, and a generator can be anybody who registers in LLMOracleRegistry. That makes OracleResult error prone, so it can sometimes return assets which are not listed to the current BuyerAgent.
The BuyerAgent::purchase() function purchases the assets returned from OracleResult, which is usually the generated output data from LLMOracleCoordinator. There is a high chance that the asset array contains assets which are not listed to the current buyerAgent in that round, due to possible manipulation of OracleResult or possible errors from the generators. This makes the purchase function fail because of the validation check in the swan contract.
Because of this, the buyerAgent is unable to purchase assets for this round.
Even a single wrong asset returned from OracleResult makes the whole OracleResult unusable. The buyer agent has to perform another oraclePurchaseRequest, so the BuyerAgent has to pay the oracle fee again.
Attack Scenario:
Alice has a buyerAgent contract with some listers in its sell phase.
Alice is now in the buy phase and wants to buy the assets, so calls purchase() in BuyerAgent.sol after calling oraclePurchaseRequest() to get the taskId.
Lack of validation of the addresses in the assets array from OracleResult may result in storing an asset which is not listed to the current BuyerAgent.
When the buyerAgent then tries to purchase that other buyerAgent's asset in swan, the call reverts because of the listing.buyer != msg.sender condition.
Due to this, the buyerAgent is unable to purchase assets in that round.
Due to this issue, the buyerAgent and the listers who listed assets for this buyerAgent are impacted. The buyerAgent loses the oracle fees it paid to the LLM Coordinator for the request operation. The listers lose the royalties paid while listing assets, as their assets are no longer bought in the current round. The chance of someone acting maliciously is high.
Loss of oracle fee to the BuyerAgent, because the current OracleResult is unusable and another oraclePurchaseRequest has to be made.
Loss of royalties paid by listers to the BuyerAgent.
Manual Inspection
Add the necessary checks and try/catch blocks in BuyerAgent::purchase() to verify whether the asset addresses in the assets array belong to this buyerAgent.
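A minimal Solidity sketch of this recommendation, added here as an illustration and not taken from the Swan code base. MockMarket, AgentSketch, buyerOf, purchaseUnchecked, purchaseChecked and AssetSkipped are hypothetical names; only the listing.buyer != msg.sender check comes from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: simplified, hypothetical stand-ins, not the Swan contracts.
contract MockMarket {
    mapping(address => address) public buyerOf; // asset => agent it is listed for

    function list(address asset, address buyer) external { buyerOf[asset] = buyer; }

    // Mirrors the check named in the finding: listing.buyer != msg.sender reverts.
    function purchase(address asset) external {
        require(buyerOf[asset] == msg.sender, "listing.buyer != msg.sender");
        delete buyerOf[asset];
    }
}

contract AgentSketch {
    MockMarket public immutable market;
    address[] public inventory;
    event AssetSkipped(address indexed asset);

    constructor(MockMarket m) { market = m; }

    // Before: one foreign asset in the decoded output reverts the whole call,
    // so the oracle result (and the fee paid for it) is wasted.
    function purchaseUnchecked(bytes calldata oracleOutput) external {
        address[] memory assets = abi.decode(oracleOutput, (address[]));
        for (uint256 i = 0; i < assets.length; i++) {
            market.purchase(assets[i]);
            inventory.push(assets[i]);
        }
    }

    // After: validate each decoded address, with try/catch as a second guard.
    function purchaseChecked(bytes calldata oracleOutput) external {
        address[] memory assets = abi.decode(oracleOutput, (address[]));
        for (uint256 i = 0; i < assets.length; i++) {
            address asset = assets[i];
            if (market.buyerOf(asset) != address(this)) {
                emit AssetSkipped(asset); // not listed to this agent (or a duplicate)
                continue;
            }
            try market.purchase(asset) {
                inventory.push(asset);
            } catch {
                emit AssetSkipped(asset); // listing changed or purchase failed
            }
        }
    }
}
```

With the checked variant, an oracle output that mixes valid and foreign addresses still buys the valid assets in the same call, and the skipped addresses are visible in the emitted events.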